path: root/glustolibs-gluster/glustolibs/gluster/auth_ops.py
#  Copyright (C) 2017-2018  Red Hat, Inc. <http://www.redhat.com>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License along
#  with this program; if not, write to the Free Software Foundation, Inc.,
#  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

"""
    Description: This contains the gluster volume auth allow and
    reject operations
"""
from glusto.core import Glusto as g
from glustolibs.gluster.volume_ops import get_volume_options


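def set_auth_allow(volname, server, auth_dict):
    """
    Set the auth.allow option for a volume or for its sub directories.

    Args:
        volname(str): The name of volume in which auth
            has to be set
        server(str): IP or hostname of one node
        auth_dict(dict): key-value pair of dirs and clients list
            Example: auth_dict = {'/d1':['10.70.37.172','10.70.37.173'],
                '/d3/subd1':['10.70.37.172','dhcp37-999.xyz.cdf.pqr.abc.com']}
            If authentication has to set on entire volume, use 'all' as key.
                auth_dict = {'all': ['10.70.37.172','10.70.37.173']}
                'all' refers to entire volume. When 'all' is present, any
                other keys in auth_dict are ignored.
    Returns (bool):
        True if the set command returned 0 and verify_auth_allow()
        confirmed the value; False otherwise (including empty auth_dict).
    """
    # shlex.quote on Python 3, pipes.quote on Python 2.
    try:
        from shlex import quote
    except ImportError:
        from pipes import quote

    if not auth_dict:
        g.log.error("Authentication details are not provided")
        return False

    if 'all' in auth_dict:
        # Whole-volume form: a plain comma-separated client list.
        auth_value = ",".join(auth_dict["all"])
    else:
        # Sub-directory form: "<dir>(<client>|<client>)" entries joined by
        # commas. items() is used instead of iteritems() so the code also
        # runs on Python 3.
        auth_value = ",".join(
            "%s(%s)" % (path, "|".join(clients))
            for path, clients in auth_dict.items())

    # The command is assembled as one string and handed to g.run
    # (presumably interpreted by a shell on the server -- the original
    # double-quoting of the sub-directory form suggests so). Quote both
    # caller-supplied parts so that '(', '|', '$', spaces etc. in a volume
    # name, path or client name are passed to gluster literally instead of
    # being interpreted. Values made only of safe characters are emitted
    # unchanged.
    auth_cmd = ("gluster volume set %s auth.allow %s"
                % (quote(volname), quote(auth_value)))

    # Execute auth.allow setting on server, then read the option back.
    ret, _, _ = g.run(server, auth_cmd)
    if (not ret) and (verify_auth_allow(volname, server, auth_dict)):
        g.log.info("Authentication set and verified successfully.")
        return True
    return False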


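def verify_auth_allow(volname, server, auth_dict):
    """
    Verify that the volume's auth.allow option contains the expected entries.

    Args:
        volname(str): The name of volume in which auth
            has to be set
        server(str): IP or hostname of one node
        auth_dict(dict): key-value pair of dirs and clients list
            Example: auth_dict = {'/d1':['10.70.37.172','10.70.37.173'],
                '/d3/subd1':['10.70.37.172','10.70.37.197']}
            If authentication has to set on entire volume, use 'all' as key.
                auth_dict = {'all': ['10.70.37.172','10.70.37.173']}
                'all' refers to entire volume. When 'all' is present, any
                other keys in auth_dict are ignored.
    Returns (bool):
        True if every expected entry is present in auth.allow; False
        otherwise (including empty auth_dict or an unreadable option).

    Note:
        This is a containment check only: entries present in auth.allow
        beyond the expected ones do not cause the verification to fail.
    """
    if not auth_dict:
        g.log.error("Authentication details are not provided")
        return False

    # Get the value of auth.allow option of the volume
    auth_clients_dict = get_volume_options(server, volname, "auth.allow")
    # NOTE(review): get_volume_options is defined elsewhere; it is assumed
    # it may return None or omit the key on failure -- confirm. Report that
    # as a failed verification instead of raising from a bool-returning API.
    if not auth_clients_dict or 'auth.allow' not in auth_clients_dict:
        g.log.error("Unable to read auth.allow option of volume %s", volname)
        return False
    auth_clients = auth_clients_dict['auth.allow']

    # Individual entries of the option value. Both the whole-volume and the
    # sub-directory form are compared entry by entry: a substring test on
    # the raw string would accept '/d1(a)' when only '/x/d1(a)' is set.
    allowed_entries = [entry.strip() for entry in auth_clients.split(',')]

    if 'all' in auth_dict:
        # Whole volume: each expected client must be listed.
        expected_entries = list(auth_dict['all'])
    else:
        # Sub-dirs: rebuild the "<dir>(<client>|<client>)" form used when
        # the option was set. items() keeps this usable on Python 3.
        expected_entries = ["%s(%s)" % (path, "|".join(clients))
                            for path, clients in auth_dict.items()]

    if not all(entry in allowed_entries for entry in expected_entries):
        g.log.error("Authentication verification failed. auth.allow: %s",
                    auth_clients)
        return False
    g.log.info("Authentication verified successfully. auth.allow: %s",
               auth_clients)
    return True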